| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a security fix from the stable/8.2 branch for two CVEs for the same
vulneratiblity:
CVE-2022-36440:
A reachable assertion was found in Frrouting frr-bgpd 8.3.0 in the
peek_for_as4_capability function. Attackers can maliciously construct
BGP open packets and send them to BGP peers running frr-bgpd, resulting
in DoS.
CVE-2022-40302:
An issue was discovered in bgpd in FRRouting (FRR) through 8.4. By
crafting a BGP OPEN message with an option of type 0xff (Extended Length
from RFC 9072), attackers may cause a denial of service (assertion
failure and daemon restart, or out-of-bounds read). This is possible
because of inconsistent boundary checks that do not account for reading
3 bytes (instead of 2) in this 0xff case.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-36440
https://nvd.nist.gov/vuln/detail/CVE-2022-40302
https://cyberriskleaders.com/new-vulnerabilities-disclosed-in-frrouting-software/
https://github.com/FRRouting/frr/issues/13202
Patch from:
https://github.com/FRRouting/frr/commit/02a0e45f66160f571196a105b217e1bb84d1a835
Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
| |
(cherry-picked from 795ccdd86cad05c425adae15af27797f42f33c56)
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This removes the old unused license for netperf as upstream
moved to using the MIT license for netperf.
See: meta-openembedded commit 587fe5877790b6c2e1d337c351b8f50603ad4db9
Signed-off-by: Arsalan H. Awan <arsalan.awan@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 27bdecd1bcf1fa86bf4ebbc527fceb455efe2970)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
| |
* cherry-picked from langdale "postfix: Upgrade to 3.7.3" commit
dd5226bed9cc76f2a26a1dce046d9de98c8b4cb4 without the upgrade.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
* do_populate_lic as well as do_configure fails in multilib builds, because S points to empty:
lib32-restinio/0.6.13-r0/lib32-restinio-0.6.13/dev
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
| |
The patch is modified by removing irrelevant and conflicting
CHANGELOG entry.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
ChangeLog:
https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2
Security Fixes:
CVE-2022-46392:
https://nvd.nist.gov/vuln/detail/CVE-2022-46392
CVE-2022-46393:
https://nvd.nist.gov/vuln/detail/CVE-2022-46393
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Links from https://nvd.nist.gov/vuln/detail/CVE-2019-11331 lead to
conclusion that this is how icurrent ntp protocol is designed.
New RFC is propsed for future but it will not be compatible with current
one.
See https://support.f5.com/csp/article/K09940637
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
| |
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* https://opensource.apple.com/tarballs/mDNSResponder/mDNSResponder-${PV}.tar.gz
is just redirect to unsafe github archives which are regenerated from time to
time.
* We do have src-uri-bad QA check which prevents to use github archives in SRC_URI
since 2019:
https://github.com/openembedded/openembedded-core/commit/21f84fcdd659544437fe393285c407e1e9432043
but this cannot catch such redirects, see:
$ wget https://opensource.apple.com/tarballs/mDNSResponder/mDNSResponder-878.30.4.tar.gz
--2023-01-31 10:06:02-- https://opensource.apple.com/tarballs/mDNSResponder/mDNSResponder-878.30.4.tar.gz
Resolving opensource.apple.com (opensource.apple.com)... 17.253.73.203, 17.253.73.206, 2a01:b740:a26:f000::5, ...
Connecting to opensource.apple.com (opensource.apple.com)|17.253.73.203|:443... connected.
HTTP request sent, awaiting response... 302 Redirect
Location: https://github.com/apple-oss-distributions/mDNSResponder/archive/refs/tags/mDNSResponder-878.30.4.tar.gz [following]
--2023-01-31 10:06:02-- https://github.com/apple-oss-distributions/mDNSResponder/archive/refs/tags/mDNSResponder-878.30.4.tar.gz
Resolving github.com (github.com)... 140.82.121.3
Connecting to github.com (github.com)|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/apple-oss-distributions/mDNSResponder/tar.gz/refs/tags/mDNSResponder-878.30.4 [following]
--2023-01-31 10:06:02-- https://codeload.github.com/apple-oss-distributions/mDNSResponder/tar.gz/refs/tags/mDNSResponder-878.30.4
Resolving codeload.github.com (codeload.github.com)... 140.82.121.10
Connecting to codeload.github.com (codeload.github.com)|140.82.121.10|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/x-gzip]
Saving to: ?mDNSResponder-878.30.4.tar.gz?
* The tarball was regenerated recently as discussed in:
https://github.com/orgs/community/discussions/45830
* Use top-level directory in S to fix DEBUG_PREFIX_MAP usage
like the version in master does, the only exception here is that
there still was top-level Makefile (which fails to set VER with:
Makefile:26: *** missing separator. Stop.
so use the simple one like newer version in master)
* it's already included in master as part of version upgrade in:
https://github.com/openembedded/meta-openembedded/commit/ec96eb577bd518b89e2e7834bd569ba269df458f
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-42917
https://www.suse.com/de-de/security/cve/CVE-2022-42917.html
https://bugzilla.suse.com/show_bug.cgi?id=1204124
Patch from:
[1] https://github.com/FRRouting/frr/commit/5216a05b32390a64efeb598051411e1776042624
[2] https://github.com/FRRouting/frr/commit/6031b8a3224cde14fd1df6e60855310f97942ff9
Per [2], update frr.pam to eliminate the warning issued by pam:
vtysh[485]: pam_warn(frr:account): function=[pam_sm_acct_mgmt] flags=0
service=[frr] terminal=[<unknown>] user=[root] ruser=[<unknown>] rhost=[<unknown>]
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CVE-2022-41860:
In freeradius, when an EAP-SIM supplicant sends an unknown SIM option,
the server will try to look that option up in the internal dictionaries.
This lookup will fail, but the SIM code will not check for that failure.
Instead, it will dereference a NULL pointer, and cause the server to
crash.
CVE-2022-41861:
A flaw was found in freeradius. A malicious RADIUS client or home server
can send a malformed abinary attribute which can cause the server to
crash.
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-41860
https://nvd.nist.gov/vuln/detail/CVE-2022-41861
Patches from:
CVE-2022-41860:
https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a32e107d4d02f936051c708
CVE-2022-41861:
https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e08e4c3464f6b95005821dc559c62
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
From ec97a83702704bb02b00358c0d26e78294ad3254 Mon Sep 17 00:00:00 2001
From: Federico Pellegrin <fede@evolware.org>
Date: Thu, 6 Oct 2022 14:17:21 +0200
Subject: [kirkstone][PATCH] chrony: add pkgconfig class as pkg-config is
explicitly searched for
The configure script present in chrony will explicitly look for
pkg-config and without the pkgconfig class it will fail:
Checking for pkg-config : No
This then affects the possibility (via image features or bbappend)
to use features based on nettle/gnutls/nss which strictly require
pkgconfig to be present and working.
Signed-off-by: Federico Pellegrin <fede@evolware.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Mitigate occurence where ':append' operator is used and leading
whitespace character is obviously missing, risking inadvertent
string concatenation.
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit d25967208bc8c4b1e2099e34150a67508744e4b9)
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
| |
Upstream-Status: Backport from https://github.com/net-snmp/net-snmp/commit/be804106fd0771a7d05236cff36e199af077af57
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
| |
The kernel_add_regdb should run before do_compile to make it take
effect.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
| |
Changelog:
http://ftp.porcupine.org/mirrors/postfix-release/official/postfix-3.6.7.HISTORY
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
There is no need for these configs on their own and they would only mess
up the sechash and privdrop configs. To actually enable sechash one also
had to enable nss, and to enable privdrop one also had to enable libcap.
This also avoids passing --with-libcap if privdrop is enabled since the
option does not exist.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
Support for readline was dropped in Chrony 4.2. Enabling the readline
PACKAGECONFIG would result in no suppport for command line editing as
only editline is supported and it would be disabled.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Revocation Checking
Upstream-Status: Backport from https://download.strongswan.org/security/CVE-2022-40617
Affects "strongswan < 5.9.8"
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Source: https://downloads.isc.org/isc/dhcp
MR: 122791, 122806
Type: Security Fix
Disposition: Backport from https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/
ChangeID: e90f768e445b7d41b86f04c634cc125546998f0f
Description:
Fixed CVEs:
1. CVE-2022-2928
2. CVE-2022-2929
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Switch from using DISTUTILS_*_ARGS to SETUPTOOLS_*_ARGS to correspond
with the earlier change to use setuptools3_legacy instead of distutils3.
Without this change, you will get the following error if your build host
does not have iptables installed:
Fixes:
ERROR: ufw-0.36.1-r0 do_compile: 'python3 setup.py build ' execution failed.
Log data follows:
| DEBUG: Executing shell function do_compile
| ERROR: could not find required binary 'iptables'
| ERROR: 'python3 setup.py build ' execution failed.
| WARNING: exit code 1 from a shell command.
ERROR: Task ([snip]/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw_0.36.1.bb:do_compile) failed with exit code '1'
Also, although the build will not fail on a host that has iptables, it
could cause a problem if it is installed at a different path than where
OpenEmbedded's iptables will be installed on the target.
Fixes: 3e2ed1dcc088 ("ufw: port to setuptools, use setuptools_legacy")
Signed-off-by: Howard Cochran <howard_cochran@jabil.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CVE-2022-37032:
An out-of-bounds read in the BGP daemon of FRRouting FRR before 8.4 may
lead to a segmentation fault and denial of service. This occurs in
bgp_capability_msg_parse in bgpd/bgp_packet.c.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-37032
Patch from:
https://github.com/FRRouting/frr/commit/3c4821679f2362bcd38fcc7803f28a5210441ddb
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This release contains bug fixes only.
The following CVEs have been addressed:
CVE-2022-37049
CVE-2022-37048
CVE-2022-37047
CVE-2022-28487
CVE-2022-25484
CVE-2022-27939
CVE-2022-27940
CVE-2022-27941
CVE-2022-27942
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CVE-2022-31676:
VMware Tools (12.0.0, 11.x.y and 10.x.y) contains a local privilege
escalation vulnerability. A malicious actor with local
non-administrative access to the Guest OS can escalate privileges as a
root user in the virtual machine.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-31676
Patch from:
https://github.com/vmware/open-vm-tools/commit/70a74758bfe0042c27f15ce590fb21a2bc54d745
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Upgrade summary:
----------------
- drop 0002-configure-fix-a-cc-check-issue.patch, as it was replaced with
upstream commit https://github.com/net-snmp/net-snmp/commit/dbb49acfa2af
- drop 0001-snmpd-always-exit-after-displaying-usage.patch backport
- rebase net-snmp-5.7.2-fix-engineBoots-value-on-SIGHUP.patch manually
- refresh patches with devtool to get rid of fuzz
Changelog:
----------
*5.9.3*:
security:
- These two CVEs can be exploited by a user with read-only credentials:
- CVE-2022-24805 A buffer overflow in the handling of the INDEX of
NET-SNMP-VACM-MIB can cause an out-of-bounds memory access.
- CVE-2022-24809 A malformed OID in a GET-NEXT to the nsVacmAccessTable
can cause a NULL pointer dereference.
- These CVEs can be exploited by a user with read-write credentials:
- CVE-2022-24806 Improper Input Validation when SETing malformed
OIDs in master agent and subagent simultaneously
- CVE-2022-24807 A malformed OID in a SET request to
SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an
out-of-bounds memory access.
- CVE-2022-24808 A malformed OID in a SET request to
NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference
- CVE-2022-24810 A malformed OID in a SET to the nsVacmAccessTable
can cause a NULL pointer dereference.
- To avoid these flaws, use strong SNMPv3 credentials and do not share them.
If you must use SNMPv1 or SNMPv2c, use a complex community string
and enhance the protection by restricting access to a given IP address
range.
- Thanks are due to Yu Zhang of VARAS@IIE and Nanyu Zhong of VARAS@IIE for
reporting the following CVEs that have been fixed in this release, and
to Arista Networks for providing fixes.
Windows:
- WinExtDLL: Fix multiple compiler warnings
- WinExtDLL: Make long strings occupy a single line Make it easier to
look up error messages in the source code by making long strings
occupy a single source code line.
- WinExtDLL: Restore MIB-II support Make winExtDLL work on 64-bit
Windows systems") caused snmpd to skip MIB-II on 64-bit systems.
IF-MIB: Update ifTable entries even if the interface name has changed
At least on Linux a network interface index may be reused for a
network interface with a different name. Hence this patch that
enables replacing network interface information even if the network
interface name has changed.
unspecified:
- Moved transport code into a separate subdirectory in snmplib
- Snmplib: remove inline versions of container funcs".
misc:
- snmp-create-v3-user: Fix the snmpd.conf path @datadir@ is
expanded in ${datarootdir} so datarootdir must be set before
@datadir@ is used.
*5.9.2*:
skipped due to a last minute library versioning found bug -- use 5.9.3 instead
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit bf4a826c7de51dcdac87f81fa2bd2301629d50db)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
License-Update : format of License file changed.
CVE-2022-0934.patch
deleted since it's included in 2.87.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 79ed6782a66590d769a516d8b4c15a4330bf7515)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Source: https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67
MR: 122044
Type: Security Fix
Disposition: Backport from https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67
ChangeID: 13f833dfbd8f76db1ea01984441b212f08e6e4f5
Description:
CVE-2022-3190 wireshark: Infinite loop in legacy style dissector.
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit de66eb0c0dae0930f9e1ba7a358db1ae6b3f2849)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CVE-2022-37035:
An issue was discovered in bgpd in FRRouting (FRR) 8.3. In
bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c,
there is a possible use-after-free due to a race condition. This could
lead to Remote Code Execution or Information Disclosure by sending
crafted BGP packets. User interaction is not needed for exploitation.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-37035
Patch from:
https://github.com/FRRouting/frr/commit/71ca5b09bc71e8cbe38177cf41e83fe164e52eee
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The test case tfork_cmd_send in smbtorture fails on target as it
requries a script located in the source directory:
$ smbtorture ncalrpc:localhost local.tfork.tfork_cmd_send
test: tfork_cmd_send
/buildarea/build/tmp/work/core2-64-poky-linux/samba/4.14.14-r0/samba-4.14.14/testprogs/blackbox/tfork.sh:
Failed to exec child - No such file or directory
This also triggers the buildpaths warning:
QA Issue: File /usr/bin/smbtorture in package samba-testsuite contains reference to TMPDIR [buildpaths]
Skip this test case in smbtorture to avoid the warning.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 2b8b5dbe03cb83df1bb6c6dc1cfbf5c2bf836cf9)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a security release in order to address the following defects:
CVE-2022-2031: Samba AD users can bypass certain restrictions associated
with changing passwords.
https://www.samba.org/samba/security/CVE-2022-2031.html
CVE-2022-32744: Samba AD users can forge password change requests for
any user.
https://www.samba.org/samba/security/CVE-2022-32744.html
CVE-2022-32745: Samba AD users can crash the server process with an LDAP
add or modify request.
https://www.samba.org/samba/security/CVE-2022-32745.html
CVE-2022-32746: Samba AD users can induce a use-after-free in the server
process with an LDAP add or modify request.
https://www.samba.org/samba/security/CVE-2022-32746.html
CVE-2022-32742: Server memory information leak via SMB1.
https://www.samba.org/samba/security/CVE-2022-32742.html
Release Notes:
https://www.samba.org/samba/history/samba-4.14.14.html
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 0afcb4be77acdb7af3624278ebd5869f0e88bdfe)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
Required by samba 4.14.14.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 1cd743f8d8053cc9d34cd1a0204d4d333722e0f5)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
wscript detects .git directory and if its present them invokes git
describe --dirty which does not work on the devtool created git
repository, since its synthesized.
Add GNU_SOURCE define to get strptime() definition
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 375be9fd60e22fb60b53d664983cb70d26d8a288)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
- This will move the dependencie of bash to wg-quick
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f36a158aa0b6dc5d595c08f33733f889a7202b36)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Also change the git protocol to https.
Relevant changes:
- 18fbcd6 version: bump
- 3ec3e82 compat: handle backported rng and blake2s
- ba45dd6 qemu: give up on RHEL8 in CI
- c7560fd qemu: set panic_on_warn=1 from cmdline
- 33c87a1 qemu: use vports on arm
- 894152a netns: limit parallelism to $(nproc) tests at once
- f888673 netns: make routing loop test non-fatal
- f9d9b4d device: check for metadata_dst with skb_valid_dst()
- f909532 qemu: enable ACPI for SMP
- ec89ca6 socket: ignore v6 endpoints when ipv6 is disabled
- fa32671 socket: free skb in send6 when ipv6 is disabled
- ffb8cd6 qemu: simplify RNG seeding
- 4eff63d queueing: use CFI-safe ptr_ring cleanup function
- 273018b crypto: curve25519-x86_64: use in/out register constraints more precisely
- 4f4c019 compat: drop Ubuntu 14.04
- 743eef2 version: bump
- 3c9f3b6 crypto: curve25519-x86_64: solve register constraints with reserved registers
- 8e40dd6 compat: udp_tunnel: don't take reference to non-init namespace
- ea6b8e7 compat: siphash: use _unaligned version by default
- 5325bc8 ratelimiter: use kvcalloc() instead of kvzalloc()
- e44c78c receive: drop handshakes if queue lock is contended
- 5707d38 receive: use ring buffer for incoming handshakes
- 68abb1b device: reset peer src endpoint when netns exits
- ea3f5fb main: rename 'mod_init' & 'mod_exit' functions to be module-specific
- cb001d4 netns: actually test for routing loops
- 2715e64 compat: update for RHEL 8.5
- 2974725 compat: account for grsecurity backports and changes
- 50dda8c compat: account for latest c8s backports
- d378f93 version: bump
- fb4a0da qemu: increase default dmesg log size
- 8f4414d qemu: add disgusting hacks for RHEL 8
- fd7a462 allowedips: add missing __rcu annotation to satisfy sparse
- 383461d allowedips: free empty intermediate nodes when removing single node
- 03add82 allowedips: allocate nodes in kmem_cache
- b56d48c allowedips: remove nodes in O(1)
- 3c14c4b allowedips: initialize list head in selftest
- 4d8b7ed peer: allocate in kmem_cache
- 6fbc0e6 global: use synchronize_net rather than synchronize_rcu
- 405caf0 kbuild: do not use -O3
- b50ef4d netns: make sure rp_filter is disabled on vethc
- e67b722 version: bump
- 1edffe2 Revert "compat: skb_mark_not_on_list will be backported to Ubuntu 18.04"
- 2cf9543 compat: update and improve detection of CentOS Stream 8
- 122f06b compat: icmp_ndo_send functions were backported extensively
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e2a2320a7953fd70e8b416f9f6741d0b6654f280)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes:
WARNING: frr-8.2.2-r0 do_package_qa: QA Issue: File /usr/lib/libfrr.a in package frr-staticdev contains reference to TMPDIR [buildpaths]
WARNING: frr-8.2.2-r0 do_package_qa: QA Issue: File /usr/src/debug/frr/8.2.2-r0/git/lib/version.h in package frr-src contains reference to TMPDIR [buildpaths]
WARNING: frr-8.2.2-r0 do_package_qa: QA Issue: File /usr/include/frr/version.h in package frr-dev contains reference to TMPDIR [buildpaths]
WARNING: frr-8.2.2-r0 do_package_qa: QA Issue: File /usr/bin/vtysh in package frr contains reference to TMPDIR
File /usr/lib/libfrr.so.0.0.0 in package frr contains reference to TMPDIR [buildpaths]
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 8b76b6c8e3ffdb30da839408084289c57e292752)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
Fixes:
WARNING: openipmi-2.0.32-r0 do_package_qa: QA Issue: File /usr/src/debug/openipmi/2.0.32-r0/OpenIPMI-2.0.32/swig/perl/OpenIPMI_wrap.c in package openipmi-src contains reference to TMPDIR [buildpaths]
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 5abd81567d5ed091ed870abf24e51f260747d593)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Fixes:
WARNING: freeradius-3.0.21-r0 do_package_qa: QA Issue: File /usr/bin/radeapclient in package freeradius-utils contains reference to TMPDIR [buildpaths]
WARNING: freeradius-3.0.21-r0 do_package_qa: QA Issue: File /usr/lib/libfreeradius-server.so.0.0.0 in package freeradius contains reference to TMPDIR [buildpaths]
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 1c91de67b4981f62ddc7308bf88c1a6f4a844fdb)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Fixes:
WARNING: net-snmp-5.9.1-r0 do_package_qa: QA Issue: File /usr/include/net-snmp/net-snmp-config-64.h in package net-snmp-dev contains reference to TMPDIR
File /usr/bin/net-snmp-create-v3-user in package net-snmp-dev contains reference to TMPDIR [buildpaths]
WARNING: net-snmp-5.9.1-r0 do_package_qa: QA Issue: File /usr/lib/net-snmp/ptest/include/net-snmp/net-snmp-config.h in package net-snmp-ptest contains reference to TMPDIR [buildpaths]
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 1bf83255aee9850bf5ce5138c4bdefbe9eeb120c)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
fix-openssl-no-des.patch
refreshed for version 5.65
Changelog:
==========
Security bugfixes
OpenSSL DLLs updated to version 3.0.5.
Bugfixes
Fixed handling globally enabled FIPS.
Fixed the default openssl.cnf path in stunnel.exe.
Fixed a number of MSVC warnings.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 72f84335cb372dbf00d2d07429a595fced0c4f4f)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changelog:
==========
Security bugfixes
OpenSSL DLLs updated to version 3.0.3.
New features
Updated the pkcs11 engine for Windows.
Bugfixes
Removed the SERVICE_INTERACTIVE_PROCESS flag in "stunnel -install".
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 6f3b52f4589bfa942e473488f91ecef85d339e78)
[New feature does not affect linux]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Changelog:
==========
# ndisc6: print NAT64 prefix if present.
# rdnssd: fix timeout calculation.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit c77bc200813dec8a1317ea6651d0f398a3fa5d65)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
| |
CVE-2015-1611 and CVE-2015-1612 are not referred to our implementation
of openflow as specified by the NVD database, ignore them.
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
|
| |
|
|
|
|
|
|
| |
CVE-2002-0318 and CVE-2011-4966 are both patched in our version of
freeradius. The CPE in the NVD database doesn't reflect correctly
the vulnerable versions that's why they are incorrectly picked up.
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
|
| |
|
|
|
|
|
|
| |
CVE-2016-4049 is not affecting our version, so we can ignore it.
This is caused because the CPE in the NVD database doesn't specify
a vulnerable version range.
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
The following CVEs are already patched so we can ignore them:
- CVE-2016-0749
- CVE-2016-2150
- CVE-2018-10893
This is caused by inaccurate CPE in the NVD database.
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This upgrade includes the following CVE fixes:
- CVE-2021-4190
- CVE-2022-0581
- CVE-2022-0582
- CVE-2022-0583
- CVE-2022-0585
- CVE-2022-0586
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
|
| |
|
|
|
|
|
|
|
| |
cve-check is not able to correctly identify many of the patched
CVEs because of the non standard version number. All the ignored
CVEs were manually checked with the NVD database and deemed not
applicable to the current version.
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
|
| |
|
|
|
|
|
|
| |
CVE-2018-1078 is not for openflow but in the NVD database the
CVE is for a specific implementation that we don't have so we
can ignore it.
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
|
| |
|
|
|
|
|
|
|
|
| |
The current version of usrsctp is not a release so cve-check
is not able to find the product version. CVE_VERSION is now set
to 0.9.3.0 that is the nearest version in the past starting from
the revision we have.
This is done because we don't have the complete 0.9.4.0 release.
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
|
